Data privacy can be used for evil, too

By John Cassara, former special agent for the Treasury Department’s Financial Crimes Enforcement Network

In October 2001, shortly before US and coalition forces entered Afghanistan, a Pakistani journalist located and interviewed Osama bin Laden about the recent terrorist attacks against the US. Some of the journalist’s questions dealt with the plot’s financing. Bin Laden was quoted as saying that Al Qaeda and other jihadist groups were not concerned about financial countermeasures because “Al Qaeda is comprised of modern, educated young people who are as aware of the cracks in the Western financial system as they are of the lines in their own hands.”

Fast forward to 2014. Many observers feel the emergence of the Sunni extremist group ISIS in Syria and Iraq poses even more of a risk to the West than Al Qaeda. Recently, an obviously modern, educated ISIS operative published a blog post calling for jihadists to help fund operations using bitcoins – a cyber-currency.

What is it?

Bitcoin is a user payment option that works in a similar way as PayPal, Western Union, Bill Me Later and Google Wallet. There are a couple of distinctions though:

• Bitcoin transactions don’t contain personally identifiable information.
• The open-source software can be modified and improved by any developer.
• Transactions are not reliant on a company, bank or government.
• Bitcoins are accepted in far more countries than PayPal and Western Union.
• Each transaction is digitally authenticated and no two transactions carry the same Bitcoin address.

Bitcoin allows people and businesses to trade directly with others – mostly online – without third-party involvement. Many major retailers are now accepting bitcoin, including Dell, Overstock and Expedia. And there are a growing number of bitcoin ATMs throughout the US. Bitcoin makes transactions across geographies and digital channels more convenient.

Bitcoin and other cyber currencies are popular with libertarians, technophiles, speculators, tax cheats, criminals, and now, possibly, terrorists. Although the IRS has ruled that virtual currency is treated as property for US federal tax purposes, US law enforcement and regulatory and tax agencies are struggling to decide whether or not virtual currencies are real currencies.

Bitcoin users create a bitcoin wallet to hold the currency and from which to transfer bitcoins to another user. The transactions are recorded in the public domain via blockchain. Blockchain is readily available. It anonymizes transactions to safeguard against forgery and fraud. If bitcoin users don’t take steps to anonymize their bitcoins, their transactions can be monitored.

What’s the danger?

Understanding that cyber criminals need absolute anonymity, the ISIS blogger recommends Dark Wallet . . . “a new bitcoin wallet designed to completely hide the activities of its users, providing total online anonymity. It [neutralizes] government regulation that tries to identify bitcoins through associating them with an individual’s wallets. It mixes all transactions together into an indecipherable mess, making bitcoin untraceable. This allows our brothers . . . to avoid government taxes and secretly fund the mujahedeen with no legal danger upon them.”

Dark Wallet fills the need for privacy of legitimate cyber transactions, but its primary purpose is to protect more nefarious ones. According to WIRED, Cody Wilson, one of Dark Wallet’s creators, was quoted as saying that he intends for the software to provide a “private means for black market transactions, whether they’re for non-prescribed medical inhalers, MDMA for drug enthusiasts or weapons.”

The Silk Road case provides a good example of how an online marketplace – where transactions are conducted using virtual currency – can provide a network for nearly untraceable criminal transactions. The site opened in 2011 and in those two years, the FBI estimates that it generated revenue worth more than 9.5 million bitcoins – worth at the time about US$1.3 billion. In the Silk Road case, clever cyber sleuthing by the FBI and overseas counterparts resulted in the arrest of the primary owner operator and associates in multiple countries. By and large, though, our countermeasures are still not enough to stop criminal use of cyber currencies.

What should we do?

In my first book, Hide & Seek: Intelligence, Law Enforcement and the Stalled War on Terror Finance, I argued that the US government spent an incredible amount of resources after September 11 looking for terrorist financing in many of the wrong places. Moreover, (because of bureaucratic interests and myopia) our primary countermeasure to terror finance was the Bank Secrecy Act. The law and succeeding regulations were largely unsuccessful at uncovering terrorism financing because the financial intelligence was developed to fight the War on Drugs. Unlike the War on Drugs – where large amounts of dirty money sloshed around primarily Western-style financial institutions – the War on Terror confronted comparatively small amounts of money that sometimes used opaque alternative or underground financial systems generally outside of Western scrutiny.

It was like trying to fit a square peg in a round hole. By and large, it didn’t work. As Osama bin Laden said, jihadists were aware of the cracks and the barriers and simply took prudent steps to go around them.

I’m afraid bitcoins and other cyber currencies are another crack that will be exploited by our adversaries. And this one is as wide as the Grand Canyon.

New rules and regulations are not going to solve this problem. As the 9/11 Commission said, we need to develop imaginative countermeasures.

Is there a data and analytics solution?

I recently had the good fortune of reading Chris Whalen’s master’s thesis on the “National Security Implications of Digital Currency.” Chris’ ability to provide both the context of the development of cyber currency and sketch the coming threats is impressive. Having no technical background myself, I shared his research with John Stultz, SAS Senior Solutions Architect. I asked him if there could possibly be a data and analytics solution that could provide the authorities a certain degree of transparency in monitoring dark cyber transactions.

John found the topic fascinating, and he accepted the challenge. In summary, he picked up on Chris’ observation that, “Detailed information concerning transactions can be derived through querying the blockchain.” John feels that those transactional data events could be queried in near-real time.

Chris continued, “Bitcoin wallet software, which provides access to the Bitcoin system, is available for most mobile devices and computer systems. Each device is a node on the system that is able to retrieve the same data feed as any of device on the network. Each device is subject to the same rules and processes that occur on the system. Attaching an identity to the user of the software would provide a venue for establishing beneficial ownership and control of digital currency that was derived from illicit financial activities.”

John felt this information was helpful since it implies there would be data elements that could be used for entity resolution in the absence of personal identifier information. Or there might be data elements (time stamps, user software device identifiers, log data, geo data from cell tower transmitters …) that coincides with the blockchain information (time stamps or other identifiers) that would support entity resolution in a way that would allow SAS analytics to detect behavior - who is doing what.

Quoting John’s email to me; “Law enforcement, government bodies and financial services organizations can use network analysis to build links between data entities (data from bitcoin queries or bitcoin wallet software information that is paired to an individual’s mobile device or computer system — if that information is available) to uncover hidden relationships – the context of transactions when a person’s identity is unknown.

Network analysis on this big data in a near-real time data streaming environment would support alerting and triage on behavioral patterns within the world of bitcoin transactions. It just depends on what type of data is actually available.”

John says that even at the lowest level of the bitcoin queries, agencies could identify anomalies and aberrant behaviors that could triaged and then analyzed further for possible connections.

“There could be other data environments that could help enable the alerting, such as social media, cultural unrest, news feeds on bitcoin sales activity or black market web traffic for goods being sold,” John writes. “Assumptions of geography can be made – given the time stamps of bitcoin transactions and where in the world it is day or night. There can be all sorts of ways of embellishing the data to help provide contextual analysis. This approach reminds me somewhat of how federal agencies use analytics for detecting insider trading: Behavioral indicators are generated and incongruous behavior can be quickly detected.”

Suggestion

As I said earlier, many of the major retailers are now accepting payment in bitcoin and other digital currencies. Non-profits, universities and travel agencies are also jumping on board. But even as acceptance grows, there are still outstanding concerns. For instance, although US regulators recently voted to allow political action committees to accept contributions via bitcoin, they imposed a US$100 limit. Commissioner Ellen Weintraub, a

Democratic appointee, told the Washington Post, “We have to balance a desire to accommodate innovation, which is a good thing, with a concern that we continue to protect transparency in the [US political] system and ensure that foreign money doesn’t seep in.”

Other agencies and organizations concerned with the well-being of the end consumer – and society - have also raised concerns:

• The CFPB (Consumer Financial Protection Bureau) has issued a report warning US consumers of the danger bitcoin poses for fraud, online scams and hackers.
• Attorney Chris Dore, part of the Chicago legal team at Edelson PC, has filed class action suits against Mt. Gox and Coinabul for alleged fraud – raising the awareness that regulations must be imposed.
• The US, Russia and the Philippines are among the first nations to issue formal advisories against the use of bitcoin.
• New York is discussing a plan to require bitcoin businesses to license in the state before buying, selling or storing bitcoins – which sends a strong message to other states.

Although bitcoins are only one tiny piece of the digital currency landscape, the way we handle them will inform our decisions for managing future cyber currencies. Law enforcement agencies, financial services organizations and government should investigate the value of advanced analytics in protecting against illegal activities including money laundering, terrorist financing, fraud and tax evasion – analytics may be the only protection.